1 of 9

https://github.com/WICG/webpackage

Jeffrey Yasskin, Chromium

IETF 102

July 2018

Web Packaging

2 of 9

Web Packaging lets a publisher

bundle up their content,

sign it, and then

allow other people to distribute it.

3 of 9

Agenda

  1. Introductions
  2. Update on Chromium implementation
  3. Update on Specification progress
  4. Discussion of use cases that people may have for this work
  5. Interest in doing more?

4 of 9

Introductions

5 of 9

Specification progress

  • draft-yasskin-http-origin-signed-responses:
    • Test OID for the X.509 extension
    • RSA forbidden, and only must support secp256r1 ECDSA
    • mi-sha256 content encoding only
    • New file format to simplify parsing
    • Format will probably change again to improve forward-compatibility
  • draft-yasskin-wpack-bundled-exchanges:
    • Initial format specified.
    • TODO: Compression.
    • TODO: Signatures covering multiple resources.
  • In progress: Integration into the Fetch specification

6 of 9

Implementations

  • draft-yasskin-httpbis-origin-signed-exchanges-impl-00 demo'ed at Google I/O:
    • Packaging software deployed at Pinterest and Food Network: https://github.com/ampproject/amppackager.
    • Google Search indexes and caches signed exchanges containing AMP.
    • Chrome 67 shows the signed URL.
    • Quick Video / 2 min I/O Video
  • Chrome 69 will implement -impl-01.
    • More secure: checks for a certificate extension, OCSP, and SCT
  • Digicert implementing support for the certificate extension.
  • Cloudflare has a prototype that signs resources on demand.

7 of 9

Implementation Plans

  • Chrome planning an Origin Trial in the fall.
  • Currently trying to figure out compatibility plans:
    • How long can a publisher keep using an old draft version?
    • Can we auto-redirect to a working URL if the signed exchange is too old?
  • Very roughly hoping to ship next summer, even if standards process isn't finished.
    • How do we maintain flexibility to migrate everyone to the final standard and remove support for the draft after that?

8 of 9

Use Cases�From draft-yasskin-webpackage-use-cases-01

  • Offline P2P site sharing
  • Privacy-preserving prefetch
    • This, with other changes, lets Google Search treat AMP and non-AMP content alike.
  • Avoiding Slashdot effect
  • Censorship evasion
  • Cross-CDN Push (*P)

(*P) If privacy concerns are solved

  • Subresource Integrity
  • Presence in a Binary Transparency log
  • Appstore-like static analysis
  • Authenticated Archiving?
  • Bundling for download efficiency

9 of 9

Other discussion?